Vulnerabilities
Identify known vulnerabilities in your components — CVE matching, CVSS scoring, and severity.
A bill of materials becomes valuable the moment you check it against known security issues. TraceUnified matches your components to published vulnerabilities, so you know which dependencies carry risk and how serious it is.
Matching components to known issues
Because components are identified by package URL, they can be matched precisely against vulnerability data drawn from public sources such as the NVD and OSV advisory feeds. The result is a list of the CVEs that affect the specific package versions in your SBOM — not a vague warning, but the actual known issues for what you ship.
CVSS and severity
Each vulnerability carries its CVSS score and vector and a severity rating — Critical, High, Medium, or Low. Severity lets you triage: address the critical and high issues first, and understand the overall risk a component brings before deciding what to do about it. The vector explains why a score is what it is, which matters when you’re judging real-world exposure.
Affected and fixed versions
A vulnerability record shows the affected versions and, where available, the version that resolves it — so the remediation path is clear. Often the fix is simply upgrading the component to a release that’s no longer affected, and having the fixed version in front of you turns triage into a concrete action.
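The matching, severity triage and fixed-version lookup described in the sections above can be sketched as follows. This is an added example, not TraceUnified's own code: the advisory records are a simplified, constructed stand-in for OSV-style range data, the package names and advisory ids are hypothetical, and versions are assumed to be plain dotted numbers.

```python
from urllib.parse import unquote

def parse_purl(purl):
    """Split pkg:type/namespace/name@version into (type, name, version)."""
    if not purl.startswith("pkg:"):
        raise ValueError("not a package URL: " + purl)
    body = purl[4:].split("#", 1)[0].split("?", 1)[0]  # drop subpath, qualifiers
    body, sep, version = body.rpartition("@")
    if not sep:                        # purl without a version
        body, version = version, ""
    ptype, _, name = body.partition("/")
    return ptype.lower(), unquote(name), unquote(version)

def vkey(version):
    # Assumption: plain dotted numeric versions; real ecosystems each
    # define their own ordering (pre-releases, epochs, and so on).
    return tuple(int(part) for part in version.split("."))

def severity(score):
    """CVSS v3.x qualitative rating for a base score."""
    for floor, label in ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")):
        if score >= floor:
            return label
    return "None"

def match(sbom_purls, advisories):
    """Return findings for affected components, most severe first."""
    findings = []
    for purl in sbom_purls:
        ptype, name, version = parse_purl(purl)
        if not version:                # no version: cannot be range-matched
            continue
        for adv in advisories:
            if (adv["type"], adv["name"]) != (ptype, name):
                continue
            for introduced, fixed in adv["ranges"]:  # fixed=None: no fix yet
                v = vkey(version)
                if vkey(introduced) <= v and (fixed is None or v < vkey(fixed)):
                    findings.append({"purl": purl, "id": adv["id"], "cvss": adv["cvss"],
                                     "severity": severity(adv["cvss"]), "fixed": fixed})
                    break
    return sorted(findings, key=lambda f: -f["cvss"])

# Constructed sample data (hypothetical packages and advisory ids).
ADVISORIES = [
    {"id": "EXAMPLE-0001", "type": "pypi", "name": "examplelib", "cvss": 9.8,
     "ranges": [("0", "2.4.1")]},
    {"id": "EXAMPLE-0002", "type": "npm", "name": "@acme/widget", "cvss": 5.3,
     "ranges": [("1.0.0", "1.2.0"), ("2.0.0", None)]},
]
SBOM = ["pkg:pypi/examplelib@2.3.0", "pkg:pypi/examplelib@2.4.1",
        "pkg:npm/%40acme/widget@2.1.0", "pkg:npm/%40acme/widget@1.5.0", "pkg:npm/left"]
```

Calling `match(SBOM, ADVISORIES)` reports only the two components whose versions fall inside an affected range, each with the release that resolves it where one exists.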
Which components, and what’s at stake
The vulnerability view ties each issue back to the component it affects, so you can see at a glance which parts of your supply chain are exposed and how severely. Because components sit on the thread, that exposure connects to your risk analysis rather than living in a separate scanner report.
Keeping watch over time
New vulnerabilities are disclosed constantly, so a component that’s clean today may not be tomorrow. How TraceUnified reacts when a new CVE lands against a component already in your product — flagging the affected work as suspect — is covered in Suspect propagation, in part two of this section.